Improve Heroku MFA experience

[andre5oto]

What are ways to improve the Heroku multi-factor authentication (“MFA”) experience now that it is a Salesforce requirement? Security controls will sometimes present bumps in the user experience, but we want to continue providing a high level of security while maintaining and improving ease of use for our users on the Heroku platform.

[andre5oto]

Already receiving good feedback for improving MFA in https://github.com/heroku/roadmap/issues/68. Please keep them coming.

[andre5oto]

Is an automated recovery method for a lost or misconfigured MFA verifier something that would be of interest to our users?

[sylvaindeloux]

Maybe add a "Remember me" feature?

[andre5oto]

@sylvaindeloux thank you for your comment. Can you elaborate a bit further on a "remember me" feature? Do you want the Heroku sign-in page to remember your email address (user id)?

[sylvaindeloux]

@andre5oto I'm talking about a "stay logged in" feature. I remember there was one before the integration of Salesforce authentication. It's much more convenient not to have to log again every 2 days. Or maybe you can just increase the session lifetime?

[razorjack]

There's a simple improvement that could be made to 2FA login process. While logins and passwords are properly auto-completed by password managers, the One Time Password field is not. The reason for this is that the text input that captures the OTP has autocomplete attribute set to off, making it impossible for the password managers to fill.

Please consider using autocomplete="one-time-code" attribute on the verification code input. It will indicate for password managers that it can be auto-completed with the OTP, making the 2FA login process super smooth for users who use their password managers as a second factor.

More info about this attribute can be found on the MDN docs page: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete

[andre5oto]

@razorjack thank you for your great suggestion. We will add it to our list of improvements for MFA that we are beginning to plan for next fiscal year.

@sylvaindeloux to close the loop on our discussion, the maximum session lifetime is 10 days provided there is activity on your account within a 24hr period. Please see https://devcenter.heroku.com/changelog-items/2364.

[davetron5000]

Using a security key requires too many clicks. Flow should be:

1. Login
2. Plugin Security Key
3. Tap Security Key

Right now you have to click a button in a web UI before it asks you to do step 2/3. This wouldn't be a big deal, but the session timeout is very low so you end up doing this a lot.

[andre5oto]

@davetron5000, thanks for your feedback. Nothing drives me more crazy than too many unnecessary clicks. Let me see what we can do to improve this experience and not run afoul of any security requirements.

[andre5oto]

We haven't lost sight of improving our MFA UX. In fact, we began to look into passkeys with our security partner teams.